JP4860593B2 - Service providing system and service providing method - Google Patents

Description

  The present invention receives a link request from a link request terminal in which an external device is inserted, executes authentication processing of the link request terminal, and uses the authentication processing result of the link request terminal to The present invention relates to a service providing system and a service providing method for providing a service in response to a service request.

  Conventionally, there is a technique for authenticating an ID corresponding to a user contract of a communication service without depending on the position of the user or the terminal for the purpose of providing a communication service that enables the movement of the user or the terminal. .

  For example, in a 3G mobile phone service using the GSM (Global System for Mobile Communications) method, a SIM (Subscriber Identification Module) in which the ID and authentication information corresponding to the service user is recorded is distributed from the mobile phone operator to the user. Then, the user is authenticated by using the service with the SIM inserted in the portable terminal.

  By the way, recently, a technique for use in a terminal device different from a terminal device used when using a communication service for which a contract has already been established has been studied.

  For example, in Non-Patent Document 1, a PAN (Personal Area Network) for connecting a mobile phone terminal and a peripheral terminal (for example, a PC, a PDA, an information home appliance or a public shared terminal) existing around the mobile phone terminal is described. A technology for constructing and using a communication service by linking a mobile phone terminal and a peripheral terminal is disclosed. Specifically, after establishing a communication session with a mobile phone terminal for which a communication service use contract has been completed, the user of the communication service uses the information reception address and source address related to this communication session as the addresses of peripheral terminals. Switch. And the user of the communication service can use the communication service using the peripheral terminal by receiving the access authentication of the peripheral terminal using the ID and authentication information recorded in the SIM in the mobile phone terminal. It becomes.

Shozo Fujino, Yoshihiko Motomoto, “Authentication procedure and terminal switching method in PAN system”, IEICE Technical Report, IEICE, February 23, 2006, Vol.105, No.627, p.169-172

  However, the above-described conventional technology has a problem that it cannot be used with a portable terminal device that can carry a service corresponding to a fixed communication service for which a contract has already been established. That is, the ID authentication of the fixed communication service is performed based on the line position where the fixed communication service contract is made, but it is virtually impossible to move the line position. There is a problem that it is not possible to use a portable terminal device that can carry a service corresponding to the.

  Accordingly, the present invention has been made to solve the above-described problems of the prior art, and a service providing system and service that can be used in a portable terminal device that can carry a service corresponding to a fixed communication service. An object is to provide a providing method.

  In order to solve the above-described problems and achieve the object, the present invention receives a link request from a link request terminal in which an external device is inserted, and executes processing according to the link request, and also from the service request terminal. A service providing system that provides a service corresponding to the service request of the user, and when the authentication of the external device ID included in the link request is successful, the external device ID acquisition that acquires the external device ID that has been successfully authenticated Means, a line corresponding to the transmission source of the link request, a line ID obtaining means for obtaining a line ID for identifying the line, an external device ID obtained by the external device ID obtaining means, Link information registration means for registering the line ID acquired by the line ID acquisition means in association with each other; A permitted service information storage unit that stores a contracted line ID for which provision of a service according to the service is permitted and permitted service information for identifying a service permitted to be provided for the contracted line, and the service When the external device ID included in the request is successfully authenticated, a line ID corresponding to the external device ID included in the service request is acquired from the line IDs registered by the link information registration unit. The permission line is associated with the matching contract line ID on the condition that the contract line ID matching the acquired line ID exists in the contract line ID stored in the permission service information storage unit. Service providing means for providing a service according to the permitted service information stored in the service information storage means. And features.

  Further, according to the present invention, in the above invention, when the link information registration unit registers the external device ID and the line ID in association with each other, whether or not registration is possible with respect to a contractor terminal corresponding to the line ID. Further, a registration permission / inquiry inquiry means for inquiring is provided.

  In the present invention, the present invention further comprises revocation information acquisition means for acquiring revocation information indicating revocation of information for proving the external device ID, and the link information registration means includes the revocation information acquisition means. Confirming the revocation information obtained by the above, and deleting the external device ID and the line ID linked to the revocation information from the registration record, and the service providing means sends a service request from the service requesting terminal. Each time it is received, it is confirmed whether or not the external device ID included in the service request is associated with the revocation information acquired by the revocation information acquisition means, and is associated with the revocation information. If it is confirmed that the authentication is successful, the service request terminal that is the source of the service request is notified that the authentication was not successful. And wherein the door.

  Further, the present invention provides a service that can be used for each user in order to associate the external device ID acquired by the external device ID acquisition unit and the line ID acquired by the line ID acquisition unit. User information determining means for determining user information for identifying the user information, wherein the link information registering means associates the user information determined by the user information determining means in association with the external device ID and the line ID. The authorized service information storage means stores the contracted line ID or the user information in association with the authorized service information, and the service providing means stores the authorized service information in the authorized service information by the authorized service information storage means. When the user information is stored in association with the link information registration means, User information corresponding to the external device ID included in the service request is acquired from the registered user information, and user information that matches the acquired user information is stored in the permitted service information storage unit. A service corresponding to the permitted service information stored in the permitted service information storage means in association with the matching user information is provided on condition that the user information exists in the user information.

  Further, the present invention provides the above-described invention, the setting information storage means for storing the setting information set in the device under each line in association with the line ID for specifying the line to be managed, A line ID search means for searching for a line ID corresponding to the setting information indicating the transmission source of the link request from the line IDs stored by the setting information storage means, and a line ID searched by the line ID search means Link request transfer means for transferring the link request while protecting the integrity of the link request, and the line ID acquisition means includes the link request transferred by the link request transfer means. In analysis, when the integrity of the link request is protected, a circuit ID is obtained from the link request.

  Further, the present invention is the above invention, wherein the service providing means stores the line ID acquired from the line IDs registered by the link information registration means by the contracted line ID storage means. If it is determined that the line ID is in an available state, the service request terminal determines whether the line ID is in an available state. It is characterized by providing a service according to the service request.

  The present invention also provides a service that receives a link request from a link request terminal in which an external device is inserted, executes a process according to the link request, and provides a service according to the service request from the service request terminal A method for providing an external device ID acquisition step of acquiring an external device ID for which the authentication has succeeded when authentication of the external device ID included in the link request is successful, and corresponding to a transmission source of the link request A line ID acquisition step for identifying a line to be identified and acquiring a line ID for identifying the line, an external device ID acquired by the external device ID acquisition step, and a line acquired by the line ID acquisition step A link information registration step for registering the ID in the storage unit in association with the ID, and a service corresponding to the service request. A permitted service information storage step of storing in a storage unit a contracted line ID permitted to provide a service and permitted service information for identifying a service permitted to be provided for the contracted line; If the authentication of the external device ID included in the request is successful, a line ID corresponding to the external device ID included in the service request is selected from the line IDs registered in the storage unit by the link information registration step. The acquired contracted line ID is obtained on the condition that the contracted line ID that matches the acquired line ID exists in the contracted line ID stored in the storage unit by the permitted service information storage step. A service corresponding to the permitted service information stored in the storage unit by the permitted service information storage step is provided in association with Characterized in that it includes a service providing step that, a.

  Further, in the above invention, when the external device ID and the line ID are registered in the storage unit in association with each other in the link information registration step, the present invention applies to the contractor terminal corresponding to the line ID. A registration availability inquiry step for inquiring registration availability is further included.

  The present invention further includes a revocation information acquisition step of acquiring revocation information indicating revocation of information for proving the external device ID in the above invention, wherein the link information registration step includes the revocation information acquisition step. Confirming the revocation information acquired by the above, and deleting the external device ID and the line ID associated with the revocation information from the registration record, and the service providing step receives a service request from the service requesting terminal. Each time it is received, it is confirmed whether or not the external device ID included in the service request is associated with the revocation information acquired by the revocation information acquisition step, and is associated with the revocation information. If it is confirmed that the service request terminal has been successfully authenticated, And notifies the bought was that.

  Further, the present invention provides the setting information storage step of storing in the storage unit the setting information set in the devices under each line in association with the line ID for specifying the line to be managed in the above invention. A line ID search step for searching for a line ID corresponding to the setting information indicating the transmission source of the link request from the line IDs stored in the storage unit by the setting information storage step; and the line ID search means A link request transfer step of assigning to the link request the line ID retrieved by the link request, and transferring the link request while protecting the integrity of the link request, wherein the line ID acquisition step includes the link request transfer step, Analyzing the forwarded link request and obtaining the line ID from the link request if the integrity of the link request is protected And features.

  ADVANTAGE OF THE INVENTION According to this invention, it can be utilized with the portable terminal device which can carry the service corresponding to a fixed communication service. That is, the service using side associates a line ID corresponding to the fixed communication service with an external device ID that identifies the moving external device, so that authentication based on the line ID associated with the external device ID is performed. If the customer is moving for a fixed communication service customer, the service provider can move the customer while identifying the ID of the fixed communication service contract of the customer. Service can be provided.

  Further, according to the present invention, when registering the external device ID and the line ID in association with each other, the contractor terminal corresponding to the line ID is inquired of whether or not registration is possible, so the line contractor confirms the intention. In addition, it is possible to prevent an unauthorized user unintended by the line contractor or registration due to an unauthorized request.

  In addition, according to the present invention, revocation information indicating that information for certifying the external device ID (an electronic certificate issued by a third party outside the system, an electronic signature, etc.) has expired is acquired and confirmed. Each time the external device ID and line ID linked to the revocation information are deleted from the registration record and a service request is received from the service request terminal, the external device ID included in the service request is linked to the revocation information. If it is confirmed that it is associated with the revocation information, the service request terminal that is the source of the service request is successfully authenticated. Since it is notified that the external device ID has not expired, unauthorized access from a user whose external device ID has expired can be avoided.

  Further, according to the present invention, in order to associate the external device ID and the line ID with each other, user information for identifying a service that can be used for each user is determined, and the external device ID is used as the association information regarding the use of the service. The user information is registered in association with the line ID, the contract line ID or the user information is stored in association with the permitted service information as the authorization information to be referred to when providing the service, and the user information is stored in association with the permitted service information. The user information corresponding to the external device ID included in the service request is acquired from the user information registered as the association information, and the user information that matches the acquired user information is authorized. Corresponding to matching user information on condition that it exists in user information stored as information We provide a service according to the authorization service information stored in the authorization information can be provided by being individually managed services available to each user.

  Further, according to the present invention, the setting information (for example, VLAN (Virtual LAN) ID) set in the device under each line is stored in association with the line ID for specifying the line to be managed. The line ID corresponding to the setting information indicating the link request transmission source is searched from the stored line IDs, and the searched line ID is assigned to the link request to protect the integrity of the link request. If the link request is analyzed and the integrity of the link request is protected, the line ID is obtained from the link request. For example, the line corresponding to the source of the link request In order to specify the link request, the line corresponding to the transmission source of the link request acquired based on the VLAN (Virtual LAN) ID without previously acquiring the IP address allocated to the terminal under the line to be managed. The ID and the external device ID of the external device carried by the user at the destination can be registered in association with each other.

  Further, according to the present invention, when the line ID corresponding to the external device ID included in the service request exists in the contracted line ID, it is further determined whether or not the line ID is in an available state. However, if it is determined that the service is available, a service corresponding to the service request from the service request terminal is provided, so a line whose contract has expired or a line that has been temporarily suspended It is possible to prevent the provision of services based on.

  Exemplary embodiments of a service providing system and a service providing method according to the present invention will be described below in detail with reference to the accompanying drawings. In the following, after describing the service providing system according to the first embodiment as an embodiment for carrying out the present invention, another embodiment for carrying out the present invention will be described as another embodiment.

  In the following first embodiment, the outline and features of the service providing system according to the first embodiment, the configuration and processing of the service providing system will be described in order, and finally the effects of the first embodiment will be described.

[Outline and Features of Service Providing System (Example 1)]
First, the outline and features of the service providing system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining the outline and features of the service providing system according to the first embodiment.

  The service providing system according to the first embodiment receives a link request from the link request terminal in which the external authentication device is inserted, executes a process according to the link request, and responds to the service request from the service request terminal. Although the outline is to provide a service, the main feature is that it can be used in a portable terminal device that can carry a service corresponding to a fixed communication service.

  Specifically, as shown in FIG. 1, the service providing system according to the first embodiment includes a link request terminal, a link device, a link storage device, a service request terminal, a service providing device, and an external ID authentication device. Consists of.

  When the link request terminal accepts a link request transmission instruction from the user together with the insertion of the external authentication device, the link request terminal transmits a link request to the link device via the wireless AP (wireless access point) and the HGW (home gateway) (FIG. 1). (See (1)). Here, the link request is a message requesting that an external ID uniquely assigned to the external authentication device and a line ID for identifying the line that is the transmission source of the link request are registered in association with each other. .

  The link device has a line ID (for example, “Line 2A”, “Line 3A”) of a line to be managed and an IP address (for example, “100.1.2.10”, “100.1” assigned to a terminal under each line. 3.10 ”) and manage them in advance. When the link request is received from the link request terminal (see (2) in FIG. 1), the link device authenticates the external ID included in the link request (see (3) in FIG. 1). When the authentication of the external ID is successful, the link device acquires the external ID that has been successfully authenticated, and also acquires the source IP address that is the source of the link request (see (4) in FIG. 1).

  Subsequently, the link device searches and acquires the line ID corresponding to the source IP address acquired previously from the line IDs managed as management targets (see (5) in FIG. 1). Then, the link device transmits a registration request to the link storage device so as to register the acquired external ID (for example, “Out 001” and “Out 002”) and the line ID in association with each other. The link storage device registers and stores the external ID and the line ID, which are the targets of the registration request, as link information in association with each other (see (6) in FIG. 1).

  When a service request terminal installed at a location different from the link request terminal accepts a service request transmission instruction from the user while inserting an external authentication device for which link registration has been completed, the service request terminal transmits a service request to the service providing apparatus. (Refer to (7) in FIG. 1). When the service providing apparatus receives the service request (see (8) in FIG. 1), the service providing apparatus transmits an external ID authentication request included in the service request to the external ID authenticating apparatus (see (9) in FIG. 1).

  When the external ID authentication device receives the authentication request from the service providing device, the external ID authentication device authenticates the external ID included in the service request. When the external ID authentication is successful, the external ID authentication device acquires the external ID that has been successfully authenticated (FIG. 1 ( 10)). Subsequently, the external ID authentication device requests a link ID corresponding to the previously acquired external ID (eg, “Out 001”) from the link storage device (see (11) in FIG. 1), and from the link storage device. A line ID (for example, “Line 2A”) is acquired (see (12) in FIG. 1). Then, the external ID authentication device confirms whether or not the line ID that matches the line ID acquired from the link storage device exists in the contracted line ID that is permitted to provide the service (for example, wireless LAN connection). (Refer to (13) in FIG. 1). As a result of the confirmation, if there is a contract line ID that is permitted to provide the service that matches the line ID acquired from the link storage device, the external ID authentication device authenticates that the authentication is successful. The result and the service ID stored in association with the contracted line ID are transmitted to the service providing apparatus (see (14) in FIG. 1).

  When the service providing apparatus receives the authentication result indicating that the authentication has been successful and the service ID stored in association with the contracted line ID from the external ID authentication apparatus, a service corresponding to the service ID (for example, wireless LAN connection) Is provided to the service request terminal (see (15) in FIG. 1).

  For this reason, the service providing system according to the first embodiment can be used in a portable terminal device that can carry a service corresponding to a fixed communication service, as in the main feature described above.

[Configuration of Service Providing System (Example 1)]
Next, the configuration of the service providing system according to the first embodiment will be described with reference to FIGS. FIG. 2 is a diagram illustrating a configuration of the service providing system according to the first embodiment. FIG. 3 is a block diagram illustrating the configuration of each device in the service providing system according to the first embodiment. FIG. 4 is a diagram illustrating a configuration example of link information according to the first embodiment. FIG. 5 is a diagram illustrating a configuration example of the authorization rule according to the first embodiment.

  As shown in FIG. 2, the service providing system according to the first embodiment includes a link request terminal 120, a wireless AP (wireless access point) 10, an HGW (home gateway) 20, a link device 220, and a link storage device 210. A service request terminal 130, a service providing device 230 (wireless access point), an HGW 50, and an external ID authentication device 240. The link request terminal 120 is connected to a state communicable with the wireless AP 10 via the network 30, and the service request terminal 130 is connected to a state communicable with the service providing apparatus 230 via the network 70, and the HGW 20 and The HGW 50 is connected to the link device 220, the link storage device 210, and the external ID authentication device 240 in a communicable state via the network 40.

  As shown in FIG. 3, the external authentication device 110 inserted into the link request terminal 120 and the service request terminal 130 is, for example, an IC card (external device) such as a SIM card, a Juki card, or an employee card of a mobile phone terminal. And an input / output I / F unit 111 and an external ID authentication information generation unit 112 are provided.

  The input / output I / F unit 111 is an IC card for inputting / outputting data such as an external ID uniquely assigned to the external authentication device 110 between the link request terminal 120 and the service request terminal 130. Interface. The external ID authentication information generation unit 112 performs an external ID authentication process performed between the link request terminal 120 and the link device 220, and an external ID authentication performed between the service request terminal 130 and the external ID authentication device 240. Authentication information used in the processing is generated.

  3 is a device that accepts insertion of the external authentication device 110 from the user and makes a link request to the link device 220, and includes a communication unit 121 and an input / output I / F unit 122. And a link request unit 123.

  The communication unit 121 has an IP communication function for performing communication via a network. The input / output I / F unit 122 functions as an IC card interface with the external authentication device 110. The link request unit 123 transmits a link request to the link device 220, and returns authentication information received from the external authentication device 110 in response to the authentication request from the link device 220. Here, the link request is a message requesting that an external ID uniquely assigned to the external authentication device and a line ID for identifying the line used for transmission of the link request are registered in association with each other.

  3 is a device that performs processing related to a link request received from the link request terminal 120, and includes a communication unit 221, a link request reception unit 222, an external ID authentication unit 223, and a line ID confirmation. Part 224.

  The link request accepting unit 222 and the external ID authenticating unit 223 correspond to the “external device ID obtaining unit” recited in the claims, and the line ID confirming unit 224 includes the “line circuit” also recited in the claims. Corresponds to “ID acquisition means”.

  The communication unit 221 has an IP communication function for performing communication via a network. When the link request reception unit 222 receives a link request from the link request terminal 120, the link request reception unit 222 transmits an authentication request to the link request terminal 120. When the authentication information is received from the link request terminal 120, the external ID authentication unit 223 is requested to authenticate the external ID included in the link request.

  When the external ID authenticating unit 223 receives an authentication processing request from the link request receiving unit 222, the external ID authenticating unit 223 performs an external ID authenticating process included in the link request. For example, the external ID authenticating unit 223 performs bidirectional authentication with the link requesting terminal 120 by EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), TLS, or the like. In this case, the external ID authenticating unit 223 also has a function as an EAP (Extensible Authentication Protocol) server.

  The external ID authenticating unit 223 is executed based on, for example, authentication information received from the link requesting terminal 120 (authentication information included in an EAP message exchanged with the link requesting terminal 120 in bidirectional authentication). When the two-way authentication is successful, the link request receiving unit 222 is notified that the authentication is successful.

  When the link request accepting unit 222 accepts the notification that the external ID authentication is successful from the external ID authenticating unit 223, the link request accepting unit 222 acquires the external ID included in the link request and the source IP address that is the source of the link request. Obtaining and requesting the line ID confirmation unit 224 to acquire the line ID of the line corresponding to the source IP address.

  The line ID confirmation unit 224 has a line ID (for example, “Line 2A”, “Line 3A”) of a line to be managed, and an IP address (for example, “100.1.2.10”) allocated to a terminal under each line. , “100.1.3.10”) and are managed in advance (see FIG. 1). When the line ID confirmation unit 224 receives the acquisition request for the line ID together with the source IP address from the link request reception unit 222, the source IP address received from the link request reception unit 222 among the line IDs managed as management targets. The line ID corresponding to is retrieved and acquired, and the acquired line ID is returned to the link request receiving unit 222.

  The link request reception unit 222 transmits to the link storage device 210 a registration request that requests the external ID acquired from the link request and the line ID returned from the line ID confirmation unit 224 to be registered in association with each other.

  The link storage device 210 is a device that receives a registration request from a link device and stores an external ID and a line ID in association with each other, and includes a communication unit 211 and a link storage unit 212. The link storage unit 212 corresponds to “link information registration unit” recited in the claims. The communication unit 211 has an IP communication function for performing communication via a network.

  When the link storage unit 212 receives a registration request from the link device 220, for example, as shown in FIG. 4, the external ID and the line ID that are the targets of the registration request are associated with each other and stored as link information. When the link storage unit 212 receives a request for a line ID corresponding to the external ID from the link device 220 and the external ID authentication device 240, the link storage unit 212 searches for the line ID corresponding to the request from the link information and returns it.

  The service request terminal 130 is a device that accepts insertion of the external authentication device 110 from the user and makes a service request to the service providing device 230. The service request terminal 130 includes a communication unit 131, a service input / output I / F unit 132, a service A request unit 133.

  The communication unit 131 has an IP communication function for performing communication via a network. The input / output I / F unit 132 functions as an IC card interface with the external authentication device 110. The service request unit 133 transmits a service request to the service providing apparatus 230 and returns authentication information received from the external authentication device 110 in response to the authentication request from the external ID authentication apparatus 240. Here, the service request is a message for requesting a service provided by the service providing apparatus 230.

  The service providing device 230 is a device that provides a service in response to a service request from the service requesting terminal 130, such as a wireless AP (wireless access point) that provides a wireless LAN connection to the service requesting terminal 130. Unit 231 and service providing unit 232. The communication unit 231 has an IP communication function for performing communication via a network.

  When the service providing unit 232 receives a service request from the service request terminal 130, the service providing unit 232 transmits an authentication request for the external ID included in the service request to the external ID authentication device 240 together with the authentication information received from the service request terminal 130. Then, when the service providing unit 232 receives the authentication result and the service ID indicating that the authentication is successful from the external ID authentication device 240, the service providing unit 232 provides the service request terminal 130 with a service (for example, wireless LAN connection) according to the service ID. .

  The external ID authentication device 240 is a device that receives an authentication request from the service providing device and performs authentication of the external ID, and includes a communication unit 241, an external ID authentication unit 242, and an authorization rule storage unit 243. The communication unit 241 has an IP communication function for performing communication via a network.

  The authorization rule storage unit 243 corresponds to the “permitted service information storage unit” described in the claims, and the service providing unit 232 and the external ID authentication unit 242 described above are also “ Corresponds to “service provision means”.

  For example, as shown in FIG. 5, the authorization rule storage unit 243 has a contracted line ID (for example, “Line 2A”, “Line 3A”) permitted to provide a service according to the service request, and the contracted line. The service ID (for example, “S 01”, “S 02”, etc.) for identifying the service permitted to be provided is associated and stored as an authorization rule.

  When receiving the external ID authentication request included in the service request from the service providing apparatus 230, the external ID authenticating unit 242 performs an external ID authentication process based on the authentication information transmitted from the service request terminal 130. For example, the external ID authenticating unit 242 executes bidirectional authentication with the service requesting terminal 130 by EAP-TLS (Extensible Authentication Protocol-Transport Layer Security). In this case, the external ID authenticating unit 242 also has a function as an EAP (Extensible Authentication Protocol) server.

  The external ID authenticating unit 242 is executed bidirectionally based on authentication information received from the service requesting terminal 130 (authentication information included in an EAP message exchanged with the link requesting terminal 120 in bidirectional authentication). If the authentication is successful, an external ID that is successfully authenticated is acquired. Then, the external ID authentication unit 242 acquires the user ID included in the EAP message from the service request terminal 130 and determines the ID type. If the external ID of the ID type is determined as a result of the determination, a line ID corresponding to the previously acquired external ID is requested to the link storage device 210.

  When the external ID authenticating unit 242 acquires the line ID from the link storage device 210, it is determined whether or not a line ID that matches the line ID exists in the contracted line ID stored in the authorization rule storage unit 243. Check. As a result of the confirmation, if there is a contract line ID stored in the authorization rule storage unit 243 that matches the line ID acquired from the link storage device 210, the external ID authentication unit 242 performs link storage. The service providing apparatus 230 obtains the service ID stored in the authorization rule storage unit 243 in association with the contracted line ID that matches the line ID acquired from the apparatus 210, and the authentication result and the service ID indicating that the authentication has been successful. Send to.

  Further, the external ID authenticating unit 242 includes the line ID acquired from the link storage device 210 in the contracted line ID stored in the external authorization rule storage unit 243 when the external ID authentication is not successful. If there is no match, the service request terminal 130 is notified that the authentication has failed.

  The link request terminal 120 and the service request terminal 130 are connected to information processing apparatuses such as a personal computer, an Internet TV, a PDA, or a mobile phone, a PHS terminal, and an IP phone terminal. It can be realized by mounting each processing function unit described above such as an I / F unit.

  Further, the link device 220, the link storage device 210, and the external ID authentication device 240 described above are added to information processing devices such as known personal computers and workstations to the above functions (communication unit, input / output I / F unit, etc.). The service providing device 230 can be realized by installing the above-described processing function units) on a Web server that provides a video distribution service and a voice call in addition to a wireless AP that provides a wireless LAN connection. It may be equipped with a function.

  Note that, between the link request terminal 120 and the link device 220, or between the service request terminal 130 and the external ID authentication device 240, TLS (Transport Layer Security) or EAP-TLS (Extensible Authentication Protocol-Transport Layer Security). The network 30 and 70 shown in FIG. 2 are wired connection, or the service providing device 230 is a WWW server or a SIP (Session Initiation Protocol) server. Depending on the case, various authentication methods (for example, authentication using a shared key or password authentication) can be employed.

  In addition, an external ID authentication device is newly provided without executing external ID authentication between the link request terminal 120 and the link device 220, and external ID authentication with the link request terminal 120 is executed. Good.

  Also, the external ID authentication function is newly installed in the HGW 50 without executing the external ID authentication by EAP-TLS between the service request terminal 130 and the external ID authentication device, and the service request terminal 130 and the HGW 50 are connected. In this case, external ID authentication may be executed.

[Processing of Service Providing System (Example 1)]
Then, the process by the service provision apparatus based on Example 1 is demonstrated using FIGS. FIG. 6 is a sequence diagram illustrating the flow of the link related processing according to the first embodiment. FIG. 7 is a diagram for explaining the flow of processing by the service providing apparatus according to the first embodiment. FIG. 8 is a sequence diagram illustrating the flow of the link related processing according to the first embodiment. FIG. 9 is a sequence diagram illustrating a flow of service-related processing according to the first embodiment.

[Link-related processing (Example 1)]
First, the flow of the link related process according to the first embodiment will be described with reference to FIGS. 6 and 7. As illustrated in FIG. 6, when the link request terminal 120 receives a link request transmission instruction from the user along with the insertion of the external authentication device 110, the link request terminal 120 transmits a link request to the link device 220 via the wireless AP 10 (step S601, FIG. 7 (1)).

  When the link request is received from the link request terminal 120, the link device 220 transmits an authentication request to the link request terminal 120 (see step S602, (2) in FIG. 7). Then, for example, bidirectional authentication by TLS (Transport Layer Security) is executed between the link request terminal 120 and the link device 220 (see step S603, (3) in FIG. 7).

  If the link device 220 succeeds in the two-way authentication, the link device 220 acquires the external ID that has been successfully authenticated (step S604). Next, the link device 220 acquires the source IP address that is the source of the link request (step S605). Subsequently, the link device 220 searches and acquires the line ID corresponding to the source IP address acquired previously from the line IDs managed as management targets (see step S606, (4) in FIG. 7). Then, the link device 220 transmits a registration request for requesting registration to the link storage device 210 (see step S607, (5) in FIG. 7). The external ID and the line ID are associated and registered in the link storage device.

  When the link storage device 210 receives the registration request from the link device 220, the link storage device 210 associates the external ID that is the object of the registration request with the line ID, registers it as link information, and stores it (step S608). The link storage device 210 transmits the registration result to the link device 220 (step S609). The link device 220 transmits a link response indicating that the link is completed together with the registration result to the link request terminal 120 (see step S610, (6) in FIG. 7).

  In step S606 described above, if the HGW 20 has a NAPT (Network Address Port Translation) function and the source IP address of the link request transmission source is converted by this NAPT function, it has been converted. It is also possible to directly acquire the line ID corresponding to the existing IP address.

  In addition, as shown in step S603 of FIG. 6, the case where the two-way authentication by TLS is executed has been described. However, when the external authentication device 110 is a SIM card of a mobile phone terminal, it is shown in step S803 of FIG. As described above, two-way authentication by AKA can be executed. Other processes shown in FIG. 8 are the same as the processes shown in FIG.

[Service-related processing (Example 1)]
Next, the flow of service-related processing according to the first embodiment will be described with reference to FIGS. 9 and 7. As shown in FIG. 9, when the service request terminal 130 installed at a location different from the link request terminal 120 receives a service request transmission instruction from the user along with the insertion of the external authentication device 110 for which link registration has been completed, A service request is transmitted to the service providing apparatus 230 (step S901, see (7) in FIG. 7).

  When receiving the service request from the service request terminal 130, the service providing apparatus 230 transmits an authentication request to the service request terminal 130 (see step S902, (8) in FIG. 7). When the external ID authentication device 240 receives an external ID authentication request included in the service request from the service providing device 230, the external ID authentication device 240, for example, between the service request terminal 130 and the external ID authentication device 240, for example, EAP-TLS (Extensible). Two-way authentication is performed by Authentication Protocol-Transport Layer Security (see step S903, (9) in FIG. 9).

  If the external ID authentication device 240 succeeds in the two-way authentication, the external ID authentication device 240 acquires the external ID that has been successfully authenticated (step S904). Subsequently, the external ID authentication device 240 acquires the user ID included in the EAP message received from the service request terminal 130 and determines the ID type (step S905). As a result of the determination, if the ID type is an external ID, a line ID corresponding to the previously acquired external ID is requested to the link storage device 210 (see step S906, (10) in FIG. 7).

  When the link storage device 210 receives the request for the line ID corresponding to the external ID from the link device 220 and the external ID authentication device 240, the link storage device 210 searches the link information for the line ID corresponding to the request (step S907). Then, the link storage device 210 returns the retrieved line ID to the external ID authentication device 240 (step S908, see (11) in FIG. 7).

  When the external ID authentication device 240 acquires the line ID from the link storage device 210, does the line ID that matches the line ID exist in the contracted line ID stored in the authorization rule (see FIG. 5)? It is confirmed whether or not (step S909). As a result of the confirmation, if there is a contract line ID stored in the authorization rule that matches the line ID acquired from the link storage device 210, the external ID authenticating device 240 receives the link ID from the link storage device 210. The service ID stored in the authorization rule is acquired in association with the contracted line ID that matches the acquired line ID (see (12) in FIG. 7), and the authentication result and the service ID indicating that the authentication is successful are provided as a service. The data is transmitted to the providing device 230 (see step S910, (13) in FIG. 7).

  When the service providing apparatus 230 receives the authentication result and the service ID indicating that the authentication is successful from the external ID authentication apparatus 240, the service providing apparatus 230 transmits a service response that permits a service (for example, wireless LAN connection) according to the service ID, A service is provided to the service request terminal 130 (see step S911, (14) in FIG. 7).

  Then, a wireless connection is started by the user of the service request terminal 130 (step S912).

[Effects of Example 1]
As described above, according to the first embodiment, when the authentication of the external ID included in the link request is successful, the external ID that has been successfully authenticated is acquired and used to transmit the link request. To obtain a line ID for identifying the line, associate the external ID with the line ID and register it as link information, and a contracted line ID that is permitted to provide a service according to the service request; A service ID for identifying a service permitted to be provided for the contracted line is stored in association as an authorization rule, and is registered as link information when the external ID included in the service request is successfully authenticated. The line ID corresponding to the external ID included in the service request is acquired from the line IDs stored, and the contracted line ID that matches the acquired line ID is stored in the authorization rule. Service corresponding to the fixed communication service because the service corresponding to the service ID stored in the authorization rule is provided in association with the matching contracted line ID. Can be used in a portable terminal device that can be carried around. In other words, on the service using side, the line ID corresponding to the fixed communication service and the external ID for specifying the moving external device are linked, so that authentication based on the line ID linked to the external ID is received. The service provider can provide a mobile service for a customer of fixed communication service while identifying the ID of the fixed communication service contract of the customer when the customer is moving. Can be provided.

  In the first embodiment, the case where the external ID and the line ID are registered in association with each other as link information has been described. However, the present invention is not limited to this, and the permitted service is specified for each user. Service user IDs may be registered in association with each other. Therefore, in the following second embodiment, the outline and features of the service providing system according to the second embodiment, the configuration and processing of the service providing system will be described in order, and finally the effects of the second embodiment will be described.

[Outline and Features of Service Providing System (Example 2)]
Initially, the outline | summary and characteristic of the service provision system which concern on Example 2 are demonstrated using FIG. FIG. 10 is a diagram for explaining the outline and features of the service providing system according to the second embodiment.

  The service providing system according to the second embodiment has the same outline as the service providing system according to the first embodiment, but further includes a service user ID for specifying a service usable for each user in the external ID and the line ID. The main feature is that it is registered in association with each other. The service providing system according to the second embodiment is different from the service providing system according to the first embodiment in the points described below.

  That is, as shown in FIG. 10, the link device succeeds in the authentication of the external ID included in the link request, and after providing the external ID and the line ID corresponding to the external ID, the link device is permitted to provide the contracted line. For each service to be performed, a service user ID (for example, “Serv 201”) in which a usable user is set is registered in the link storage device as link information in association with the external ID and the line ID (FIG. 10). (See (6)).

  Then, when the external ID authentication device succeeds in authenticating the external ID included in the service request from the service request terminal, the external ID authentication device acquires the external ID that has been successfully authenticated, and obtains the service user ID corresponding to the external ID from the link storage device. Obtain (see (12) in FIG. 10). In the external ID authentication device, the service user ID that matches the service user ID acquired from the link storage device exists in the service user ID permitted to provide the service (for example, wireless LAN connection). (See (13) in FIG. 10). As a result of the confirmation, if there is a service user ID that is permitted to provide a service that matches the service user ID acquired from the link storage device, the external ID authentication device has succeeded in authentication. The authentication result to this effect and the service ID stored in association with the service user ID are transmitted to the service providing apparatus (see (14) in FIG. 10).

[Configuration of Service Providing System (Example 2)]
Next, the configuration of the service providing system according to the second embodiment will be described with reference to FIGS. FIG. 11 is a block diagram illustrating the configuration of each device in the service providing system according to the second embodiment. FIG. 12 is a diagram illustrating a configuration example of link information according to the second embodiment. FIG. 13 is a diagram illustrating a configuration example of an authorization rule according to the second embodiment.

  Each device configuration in the service providing system according to the second embodiment is basically the same as each device in the service providing system according to the first embodiment, but differs in the points described below.

  That is, the link device 220 newly includes a service user ID determination unit 225. The service user ID determination unit 225 determines a service user ID for identifying a service that can be used for each user.

  Hereinafter, a method for determining the service user ID by the service user ID determination unit 225 will be specifically described.

  For example, a case where a line contractor uses a service user ID that has been paid in advance for each service from a communication carrier at the time of the line contract will be described below. When the link request is received from the link request terminal 120, the link device 220 returns a message requesting the input of the service user ID together with the authentication request. When the service user ID input request is received from the link device 220, the user who transmitted the link request from the link request terminal 120 (for example, the family of the line contractor) is for the service that has been previously paid out by the telecommunications carrier. Enter your user ID.

  The link device 220 succeeds in the authentication of the external ID included in the link request, the external ID that has been successfully authenticated, and the line ID associated with the transmission source in the link request (the line corresponding to the source IP address of the transmission source of the link request) ID) is determined, the service user ID that has received the input from the link request terminal 120 is determined as the service user ID for identifying the service that can be used for each user, and the external ID, the line ID, and the service ID A registration request is transmitted to the link storage device 210 so that the user ID is associated and registered as link information.

  When the link storage device 210 receives the registration request from the link device 220, for example, as shown in FIG. 12, the link storage device 210 receives an external ID (for example, “Out 001”) and a line ID (for example, “Line 2A” as a target of the registration request. )) And the service user ID (for example, “Serv 201”) are registered and stored as link information.

  Next, for example, a case where a newly created service user ID is used in response to receiving a link request from the link request terminal 120 will be described below. When a link request is received from the link request terminal 120, the link device 220 returns a message requesting input of a service user ID or selection of use of a new service user ID together with an authentication request.

  When the link device 220 accepts the selection of the use of the new service user ID, the link device 220 succeeds in authenticating the external ID included in the link request, and associates the external ID successfully authenticated and the link request transmission source. After acquiring the line ID (line ID corresponding to the source IP address of the link request transmission source), the newly generated service user ID is determined as a service user ID for identifying a service that can be used for each user. Then, a registration request is transmitted to the link storage device 210 so that the external ID, the line ID, and the service user ID are associated and registered as link information.

  After registration in the link storage device 210 is completed, the link device 220 returns the newly generated service user ID as a link response to the link request terminal 120, and the user of the link request terminal 120 sends a link response from the link device 220. The service can be used by requesting the line contractor to permit the provision of the service to the service user ID returned as.

  The external ID authentication device 240 is newly generated by the service user ID issued from the communication carrier to the line contractor or the link device 220 based on the contract between the line contractor and the communication carrier. For each service user ID (for example, “Serv 201” or “Serv 202”), a service ID (for example, “S01, S02, S03” or “S01, S02” for identifying a service permitted to be provided) Etc.) as an authorization rule.

  When the external ID authentication device 240 successfully authenticates the external ID included in the service request from the service request terminal 130, the external ID authentication device 240 requests the link storage device 210 for a service user ID corresponding to the external ID that has been successfully authenticated. When the service user ID is acquired from the link storage device 210, it is confirmed whether or not this service user ID exists in the service user ID stored as the authorization rule. As a result of confirmation, if there is a service user ID stored as an authorization rule that matches the service user ID acquired from the link storage device 210, the service user ID is associated with the service user ID. The service ID stored in the authorization rule is acquired and transmitted to the service providing apparatus 230 together with the authentication result indicating that the authentication is successful.

  When the service providing apparatus 230 receives the authentication result and the service ID indicating that the authentication is successful from the external ID authenticating apparatus 240, the service providing apparatus 230 provides the service request terminal 130 with a service (for example, wireless LAN connection) according to the service ID.

  For example, when the link device 220 is a Web server, the exchange regarding the service user ID executed between the link request terminal 120 and the link device 220 is realized by using a Web menu by http communication. can do.

[Processing of Service Providing System (Example 2)]
Then, the process by the service provision apparatus based on Example 2 is demonstrated using FIGS. 14-16. FIG. 14 is a sequence diagram illustrating the flow of the link related processing according to the second embodiment. FIG. 15 is a diagram for explaining the flow of processing by the service providing apparatus according to the second embodiment. FIG. 16 is a sequence diagram illustrating a flow of service-related processing according to the second embodiment.

[Link-related processing (Example 2)]
First, the flow of link related processing according to the second embodiment will be described with reference to FIGS. 14 and 15. In the link related process according to the second embodiment, the process of step S1407 illustrated in FIG. 14 is different from the link related process according to the first embodiment (see FIG. 6).

  That is, the link device 220 succeeds in the authentication of the external ID included in the link request, corresponds to the external ID that has been successfully authenticated, and the line ID associated with the transmission source in the link request (corresponding to the source IP address of the transmission source of the link request) If the service user ID received from the link request terminal 120 is acquired, the service user ID for identifying the service that can be used for each user is determined (step S1407, FIG. 15). (See (5)).

  Alternatively, the link device 220 succeeds in the authentication of the external ID included in the link request, corresponds to the external ID that has been successfully authenticated, and the line ID associated with the transmission source in the link request (corresponding to the source IP address of the transmission source of the link request) The service user ID newly generated is acquired as a service user ID for specifying a service that can be used for each user (see step S1407, (5) in FIG. 15).

  The link device 220 transmits a registration request to the link storage device 210 so that the external ID, the line ID, and the service user ID are registered in association with each other (step S1408). When the link storage device 210 receives the registration request from the link device 220, the link storage device 210 registers and stores the external ID, the line ID, and the service user ID to be registered in association with each other (step S1409, (6 in FIG. 15). )reference).

[Service-related processing (second embodiment)]
First, the flow of service-related processing according to the second embodiment will be described with reference to FIGS. 16 and 15. Note that the service-related processing according to the second embodiment differs from the service-related processing according to the first embodiment (see FIG. 9) in the processing from step S1606 to step S1609 illustrated in FIG.

  That is, when the external ID authentication device 240 successfully authenticates the external ID included in the service request from the service request terminal 130, the external ID authentication device 240 requests the link storage device 210 for a service user ID corresponding to the external ID that has been successfully authenticated. (See step S1606, (11) in FIG. 15). Then, the external ID authentication device 240 acquires the service user ID from the link storage device 210 (step S1608, see (12) in FIG. 15).

  After acquiring the service user ID, the external ID authentication device 240 checks whether or not a line ID that matches the service user ID exists in the service user ID stored as the authorization rule ( Step S1609). As a result of confirmation, if there is a service user ID stored as an authorization rule that matches the service user ID acquired from the link storage device 210, the service user ID is associated with the service user ID. The service ID stored in the authorization rule is acquired (see (13) in FIG. 15), and in the service providing apparatus 230 together with the authentication result indicating that the authentication is successful, as in the first embodiment. Transmit (see step S1610, (14) in FIG. 15).

[Effects of Example 2]
As described above, according to the second embodiment, a service user ID for specifying a service that can be used for each user is determined in association with an external ID and a line ID, and the external ID and the link information are used as link information. The service user ID is registered in association with the line ID, the service user ID is stored in association with the service ID as the authorization rule, and the service user ID registered as link information in association with the service ID. The service user ID corresponding to the external ID included in the service request is acquired from the inside, and the service user ID that matches the acquired service user ID is stored in the authorization rule in association with the service ID. On the condition that it exists in the service user ID that matches the service user ID It provides a service corresponding to the service ID stored in the Le, it is possible to provide managed individually providable services for each user.

  In the first embodiment, the case has been described in which the line ID of the line to be managed and the IP address allocated to the terminal under each line are associated with each other in advance, but the present invention is not limited to this. For example, the line ID of the line to be managed and the setting information (for example, VLAN (Virtual LAN) ID) set in the device under each line are associated and managed in advance. Also good. Therefore, in the following third embodiment, the outline and features of the service providing system according to the third embodiment, the configuration and processing of the service providing system will be described in order, and finally the effects of the third embodiment will be described.

[Outline and Features of Service Providing System (Example 3)]
Initially, the outline | summary and characteristic of the service provision system which concern on Example 3 are demonstrated using FIG. FIG. 17 is a diagram for explaining the outline and features of the service providing system according to the third embodiment.

  The service providing system according to the third embodiment has the same outline as the service providing system according to the first embodiment, but the line ID of the line to be managed and the VLAN (Virtual LAN) set in the device under each line The main feature is that IDs (hereinafter referred to as VLANIDs as appropriate) are managed in advance in association with each other. The service providing system according to the third embodiment is different from the service providing system according to the first embodiment in the points described below.

  That is, as shown in FIG. 17, the service providing system according to the third embodiment is configured to newly include a transfer device installed between networks and a use line guarantee device connected to the transfer device.

  The used line guarantee device corresponds to the line ID (for example, “Line 2A”) of the line to be managed and the VLAN ID (for example, “10”) set in the wireless AP that is a device under each line. They are stored together and managed as line management information. This VLAN ID has a role as information (information for uniquely identifying the wireless AP to the transfer device) indicating the transmission source of the link request transmitted from the link requesting terminal.

  When the transfer device receives the link request from the link request terminal (see (1) in FIG. 17), the transfer device transfers the received link request to the use line guarantee device.

  Further, when the used line guarantee device receives the link request transferred from the transfer device, it searches the line management information for a line ID corresponding to the VLAN ID indicating the transmission source of the link request. Then, the searched line ID is added to the link request, and an electronic signature is added to the link request and returned to the transfer apparatus (see (2) in FIG. 17).

  The transfer device transmits the link request returned from the use line guarantee device to the link device.

  When the link device receives the link request from the transfer device (see (3) in FIG. 17), the link device verifies the electronic signature given to the link request, and if no falsification of data is detected, the link device adds it to the link request. The acquired line ID is acquired (see (4) in FIG. 17). Then, the link device performs authentication of the external ID included in the link request and subsequent processing, as in the first embodiment.

[Configuration of Service Providing System (Example 3)]
Next, the configuration of the service providing system according to the third embodiment will be described with reference to FIGS. 18 and 19. FIG. 18 is a diagram illustrating the configuration of the service providing system according to the third embodiment. FIG. 19 is a block diagram illustrating the configuration of each device in the service providing system according to the third embodiment.

  The service providing system according to the third embodiment and the device configurations in the service providing system are basically the same as the devices in the service providing system and the service providing system according to the first embodiment, but will be described below. The point to do is different.

  That is, as illustrated in FIG. 18, the service providing system according to the third embodiment newly includes a transfer device 310 connected to the HGW 20 and the network 40 between the network 30 and the network 40, and the transfer device 310 includes the transfer device 310. A connected use line guaranteeing device 320 is newly provided.

  When the transfer device 310 receives the link request from the link request terminal 120, the transfer device 310 transfers the received link request to the use line guarantee device 320 and transmits the link request returned from the use line guarantee device 320 to the link device 220. It is.

  The used line guarantee device 320 is a device that manages the subordinate lines, and includes a communication unit 321, a VLAN storage unit 322, and a link request transfer unit 323 as shown in FIG. 19. The communication unit 321 has a function of controlling communication performed with the transfer device 310. The link request transfer unit 323 and the transfer device 310 of the used line guarantee device 320 correspond to “line ID search means” and “link request transfer means” described in the claims.

  The VLAN storage unit 322 associates the line ID of the line to be managed (for example, “Line 2A”) with the VLAN ID (for example, “10”) set in the wireless AP that is a device under each line. It is also stored as line management information.

  When the link request transfer unit 323 receives the link request transferred from the transfer device 310, the link request transfer unit 323 selects a line ID corresponding to the VLAN ID indicating the link request transmission source from the line management information stored in the VLAN storage unit 322. Search for. Then, the retrieved line ID is added to the link request, and an electronic signature is added to the link request and returned to the transfer device 310.

  When the link device 220 receives the link request from the transfer device 310, the link device 220 verifies the electronic signature attached to the link request, and if no falsification of data is detected, obtains the line ID added to the link request. To do.

[Processing of Service Providing System (Example 3)]
Subsequently, processing performed by the service providing apparatus according to the third embodiment will be described with reference to FIG. FIG. 20 is a sequence diagram illustrating the flow of the link related processing according to the third embodiment. In the link related process according to the third embodiment, the processes in steps S2002 to S2008 illustrated in FIG. 20 are different from the link related process according to the first embodiment (see FIG. 6 or FIG. 8).

  That is, when receiving the link request from the link request terminal 120, the transfer device 310 transfers the received link request to the use line guarantee device 320 (step S2002).

  When the used line guaranteeing device 320 receives the link request transferred from the transfer device 310, the used line guaranteeing device 320 searches the line management information for the line ID corresponding to the VLAN ID indicating the transmission source of the link request, and finds the searched line ID. Is added to the link request (step S2003). Further, the used line guaranteeing device 320 gives an electronic signature to the link request (step S2004). The used line guaranteeing device 320 adds a line ID and returns a link request with an electronic signature to the transfer device 310 (step S2005).

  The transfer device 310 transmits the link request returned from the use line guarantee device 320 to the link device 220 (step S2006).

  When receiving the link request from the transfer device 310, the link device 220 verifies the electronic signature attached to the link request (step S2007). If the tampering of the data is not detected as a result of verifying the electronic signature, the link device 220 acquires the line ID added to the link request (step S2008). Then, the link device 220 performs authentication of the external ID included in the link request and subsequent processing in the same manner as in the first embodiment (steps S2009 to S2015).

[Effects of Example 3]
As described above, according to the third embodiment, the VLAN ID set in the device under each line is stored as the line management information in association with the line ID for specifying the line to be managed, The line ID corresponding to the VLAN ID indicating the link request transmission source is searched from the line IDs stored in the line management information, and the searched line ID is assigned to the link request to complete the link request. When the link request is analyzed and the integrity of the link request is protected, the line ID is obtained from the link request. For example, the link request source In order to identify the line corresponding to the link, the link requirement acquired based on the VLAN (Virtual LAN) ID without acquiring the IP address assigned to the terminal under the line to be managed in advance. It is possible to register the line ID corresponding to the transmission source of the request and the external ID of the external device carried by the user at the destination.

  In the above-described embodiment, if there is a contract line ID that is allowed to provide a service that matches the line ID acquired from the link storage device, the line with the matching line ID can be used at this time. You may make it determine whether it is in a state. Therefore, in the following fourth embodiment, the outline and features of the service providing system according to the fourth embodiment, the configuration and processing of the service providing system will be described in order, and finally the effects of the fourth embodiment will be described.

[Outline and Features of Service Providing System (Example 4)]
First, the outline and features of the service providing system according to the fourth embodiment will be described with reference to FIG. FIG. 21 is a diagram for explaining the outline and features of the service providing system according to the fourth embodiment.

  The service providing system according to the fourth embodiment has the same outline as the service providing system according to the first embodiment, but matches the line ID acquired from the link storage device among the contracted line IDs permitted to provide the service. The main feature is that it is determined whether or not a line with a matching line ID is available at the present time when there is an existing one. The service providing system according to the fourth embodiment is different from the service providing system according to the first embodiment in the points described below.

  In other words, the external ID authentication device checks whether or not a line ID that matches the line ID acquired from the link storage device exists in the contracted line ID that is permitted to provide a service (for example, wireless LAN connection). As a result (see (13) in FIG. 21), if there is a line ID that matches the line ID acquired from the link storage device among the contracted line IDs permitted to provide the service, the line ID further matches. It is confirmed whether or not the line corresponding to the line ID is currently available (see (14) in FIG. 21).

  When the line corresponding to the line ID that is confirmed to match the contracted line ID is available, the external ID authenticating device uses the authentication result indicating that the authentication is successful and the contracted line ID. The service ID stored in association is transmitted to the service providing apparatus (see (15) in FIG. 21).

[Configuration of Service Providing System (Example 4)]
Next, the configuration of the service providing system according to the fourth embodiment will be described with reference to FIGS. FIG. 22 is a block diagram illustrating the configuration of each device in the service providing system according to the fourth embodiment. FIG. 23 is a diagram illustrating a configuration example of line state information according to the fourth embodiment.

  Each device configuration in the service providing system according to the fourth embodiment is basically the same as each device in the service providing system according to the first embodiment, but differs in the points described below.

  That is, the service providing system according to the fourth embodiment newly includes a line state storage device 330 as shown in FIG. The line state storage device 330 is a device that manages whether or not a line within its own control range is in a usable state, and includes a communication unit 331 having an IP communication function and a line state storage unit 332.

  The line state storage unit 332 collects the usage status of lines within its own grasp range and, for example, as shown in FIG. 23, the line ID of the line within its own grasp range (for example, “Line 2A” or “Line 3A”) and a use state (for example, “valid” or “invalid”) indicating whether or not the line is in an available state are associated with each other and stored as line state information.

  When the line state storage device 330 receives the line state inquiry from the external ID authentication device 240, the line state storage device 330 searches the line state storage unit 332 for a use state corresponding to the line ID included in the inquiry, and the external ID authentication device 240. Reply to

  In addition, the external ID authentication device 240 is newly provided with a line state confirmation unit 244. When the external ID authenticating unit 242 confirms that there is a line ID that matches the line ID acquired from the link storage device 210 among the contracted line IDs that are permitted to provide the service, the line state checking unit 244 An inquiry about the use state of the line corresponding to the line ID is transmitted to the line state storage device 330.

  The line state confirmation unit 244 may be in a state where the line corresponding to the line ID confirmed to match the contracted line ID is available based on the utilization state of the line ID received from the line state storage device 330. When it is confirmed, the service ID corresponding to the line ID is searched from the authorization rule, and the searched service ID and the authentication result indicating that the authentication is successful are transmitted to the service providing apparatus 230.

[Processing of Service Providing System (Example 4)]
Subsequently, processing performed by the service providing apparatus according to the fourth embodiment will be described with reference to FIG. FIG. 24 is a sequence diagram illustrating a flow of service-related processing according to the fourth embodiment. In the service-related processing according to the fourth embodiment, for example, the processes in steps S2410 to S2412 illustrated in FIG. 24 are different from the service-related processing according to the first embodiment (see FIG. 9).

  That is, the external ID authenticating device 240 responds to the line ID when it is confirmed that the contracted line ID permitted to provide the service matches the line ID acquired from the link storage device 210. An inquiry about the use state of the line to be transmitted is transmitted to the line state storage device 330 (step S2410).

  When the line state storage device 330 receives the inquiry about the line state from the external ID authentication device 240, the line state storage unit 330 searches the line state storage unit 322 for the use state corresponding to the line ID included in the inquiry (step S2411). Then, the line state storage device 330 returns the retrieved use state to the external ID authentication device 240 (step S2412).

  The external ID authentication device 240 may be in a state where the line corresponding to the line ID confirmed to match the contracted line ID can be used based on the use state of the line ID received from the line state storage device 330. If it is confirmed, the service ID corresponding to the line ID is searched from the authorization rule, and the service ID and the authentication result indicating that the authentication is successful are provided as in the above-described embodiment. It transmits to the device 230 (step S2413).

[Effects of Example 4]
As described above, according to the fourth embodiment, when the line ID corresponding to the external ID included in the service request exists in the contracted line ID, is this line ID still available? If the service request terminal 130 determines that the service is available, a service corresponding to the service request from the service request terminal 130 is provided. It is possible to prevent the provision of services based on the existing lines.

  As described in the second embodiment, when the external ID, the line ID, and the service user ID are registered in the link device 210 in association with each other, the external ID authentication device 240 has the external ID. In addition to the service user ID corresponding to, the line ID is acquired from the link device 210. Then, the external ID authenticating device 240 checks whether or not the line ID corresponding to the service user ID is in a usable state when there is a match with the service user ID in the authorization rule. However, if the service is available, the service providing apparatus 230 may be notified of the authentication result and the service ID indicating that the authentication is successful.

  Now, although Examples 1 to 4 have been described as one embodiment for carrying out the present invention, the present invention may be implemented in various different forms other than the above-described examples. . In the following, other embodiments included in the present invention will be described.

(1) Confirmation of validity of authentication information used to prove external ID In the above embodiment, the validity of authentication information used for bidirectional authentication for authenticating the external ID may be confirmed. .

  That is, when the link device 220 or the external ID authentication device 240 receives a link request or a service request from the service providing device 230, the link device 220 or the external ID authentication device 240 authenticates the external ID included in each request. In order to confirm whether or not the authentication information (for example, a certificate issued by a third-party organization) used for authentication has expired, for example, issued revocation information is acquired via the network.

  If the link device 220 or the external ID authentication device 240 confirms the revocation of the authentication information associated with the external ID included in the link request or service request based on the revocation information acquired via the network, the authentication is performed. A response to that effect is returned to the link request terminal 120 or the service request terminal 130.

  In addition, the link device 220 periodically acquires the revocation information, and if there is an external ID registered in the link storage device 210 that is associated with the revocation information, the link storage device 210 The external ID linked to the revocation information may be requested to be deleted from the registration record.

  In this way, revocation information indicating that the information for certifying the external ID (such as an electronic certificate issued by a third party outside the system) has been revoked is acquired and periodically checked, and this revocation information Whether the external ID included in the service request is linked to the revocation information every time a service request from the service request terminal is received after deleting the linked external ID and line ID from the registration record If it is confirmed that it is associated with the revocation information, the service request terminal that is the source of the service request is notified that the authentication was not successful. It is possible to avoid access from a user whose external ID is invalid (a user who has an external ID issued by a valid external ID issuer but whose authority has been revoked).

(2) Confirmation of registration In the above embodiment, the link device 220 transmits the link request to the link storage device 210 so as to register the external ID and the line ID in association with each other. It may be possible to inquire whether or not registration is possible with respect to the contractor terminal corresponding to.

  As described above, when the external ID and the line ID are registered in association with each other, the contractor terminal corresponding to the line ID is inquired as to whether or not the registration is possible, so that the intention of the line contractor can be confirmed. In addition, it is possible to prevent an unauthorized user unintended by the line contractor or registration due to an unauthorized request.

(3) System Configuration, etc. Further, for example, the configuration of the service providing system shown in FIG. 2 and each component of each device in the service providing system shown in FIG. It is not necessary to be configured as shown in FIG.

  That is, as shown in FIG. 25, when the service providing apparatus 230 is a Web server that provides a moving image distribution service, the functions of the service providing apparatus 230 and the external ID authentication apparatus 240 in the above embodiment are integrated. May be installed. Further, the configuration of the service providing system and the inside of the service providing system, such as integrating the link device 220 and the link storage device 210 shown in FIG. 3 and integrating the external ID authentication unit 223 and the line ID confirmation unit 224 of the link device 220. The specific form of distribution / integration of each device configuration is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured.

  Further, the following service providing method is realized by the service providing system described in the above embodiment.

  That is, in a service providing system that receives a link request from a link request terminal in which an external device is inserted, executes a process according to the link request, and provides a service according to a service request from a service request terminal, When the link device 220 succeeds in authenticating the external ID included in the link request, the link device 220 acquires an external ID that acquires the successful external ID (see, for example, step S603 and step S604 in FIG. 6). A line ID acquisition step of specifying a line corresponding to the transmission source of the link request and acquiring a line ID for identifying the line (see, for example, step S605 and step S606 in FIG. 6), the link The storage device 210 includes the external ID acquired by the external ID acquisition step, A link information registration step for registering in the storage unit in association with the line ID acquired in the line ID acquisition step (see, for example, step S608 in FIG. 6), and provision of a service according to the service request is permitted. A permitted service information storage step for storing the contracted line ID and the permitted service information for identifying the service permitted to be provided for the contracted line in the storage unit in association with each other (the authorization rule storage unit 243 shown in FIG. 3); The service providing device 230 and / or the external ID authenticating device 240, when the external ID included in the service request is successfully authenticated, the line registered in the storage unit by the link information registering step A line ID corresponding to the external ID included in the service request is acquired from the ID, and the acquired line If the contracted line ID matching D exists in the contracted line ID stored in the storage unit by the permitted service information storing step, the permitted service information storage is associated with the matched contracted line ID. A service providing method including a service providing step of providing a service according to the permitted service information stored in the storage unit in steps (for example, steps S903 to S911 in FIG. 9) is realized.

  In the service providing method described above, each processing function performed by each device is realized by a CPU and a program that is analyzed and executed by the CPU, or wired. It can be realized as hardware by logic. This can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the service providing system and the service providing method according to the present invention receive the link request from the link request terminal in which the external device is inserted, execute the authentication process of the link request terminal, and perform the link request. Useful when providing a service in response to a service request from a service requesting terminal using the result of terminal authentication processing, especially for portable terminal devices that can carry a service corresponding to a fixed communication service Suitable for that.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram for explaining an overview and features of a service providing system according to a first embodiment. 1 is a diagram illustrating a configuration of a service providing system according to a first embodiment. 1 is a block diagram illustrating a configuration of each device in a service providing system according to Embodiment 1. FIG. It is a figure which shows the structural example of the link information which concerns on Example 1. FIG. It is a figure which shows the structural example of the authorization rule which concerns on Example 1. FIG. It is a sequence diagram which shows the flow of the link relevant process which concerns on Example 1. FIG. FIG. 6 is a diagram for explaining a processing flow by the service providing apparatus according to the first embodiment. It is a sequence diagram which shows the flow of the link relevant process which concerns on Example 1. FIG. It is a sequence diagram which shows the flow of the service relevant process which concerns on Example 1. FIG. It is a figure for demonstrating the outline | summary and the characteristic of the service provision system which concerns on Example 2. FIG. FIG. 10 is a block diagram illustrating a configuration of each device in a service providing system according to a second embodiment. It is a figure which shows the structural example of the link information which concerns on Example 2. FIG. It is a figure which shows the structural example of the authorization rule which concerns on Example 2. FIG. It is a sequence diagram which shows the flow of the link related process which concerns on Example 2. FIG. FIG. 9 is a diagram for explaining a flow of processing by a service providing apparatus according to a second embodiment. FIG. 10 is a sequence diagram illustrating a flow of service-related processing according to the second embodiment. It is a figure for demonstrating the outline | summary and the characteristic of the service provision system which concerns on Example 3. FIG. It is a figure which shows the structure of the service provision system which concerns on Example 3. FIG. FIG. 10 is a block diagram illustrating a configuration of each device in a service providing system according to a third embodiment. It is a sequence diagram which shows the flow of the link related process which concerns on Example 3. FIG. It is a figure for demonstrating the outline | summary and characteristic of the service provision system which concerns on Example 4. FIG. FIG. 10 is a block diagram illustrating a configuration of each device in a service providing system according to a fourth embodiment. FIG. 10 is a diagram illustrating a configuration example of line state information according to the fourth embodiment. FIG. 10 is a sequence diagram illustrating a flow of service-related processing according to a fourth embodiment. It is a figure which shows the structure of the service provision system which concerns on Example 5. FIG.

Explanation of symbols

10 Wireless AP
20 HGW
30 network 40 network 50 HGW
70 Network 110 External Authentication Device 120 Link Request Terminal 130 Service Request Terminal 210 Link Storage Device 220 Link Device 230 Service Providing Device 240 External ID Authentication Device 310 Transfer Device 320 Used Line Assurance Device 330 Line State Storage Device

Claims (10)

A service providing system that receives a link request from a link request terminal in which an external device is inserted, executes a process according to the link request, and provides a service according to the service request from the service request terminal,
When the external device ID included in the link request is successfully authenticated, an external device ID acquisition unit that acquires the external device ID that has been successfully authenticated;
A line ID acquisition means for specifying a line corresponding to the transmission source of the link request and acquiring a line ID for identifying the line;
Link information registration means for registering the external device ID acquired by the external device ID acquisition means in association with the line ID acquired by the line ID acquisition means;
A permitted service information storage means for storing a contracted line ID permitted to provide a service in response to the service request and permitted service information for identifying a service permitted to be provided to the contracted line in association with each other; ,
When the authentication of the external device ID included in the service request is successful, the line ID corresponding to the external device ID included in the service request is acquired from the line IDs registered by the link information registration unit. Then, on the condition that the contracted line ID that matches the acquired line ID exists in the contracted line ID stored in the permitted service information storage unit, it is associated with the matching contracted line ID. Service providing means for providing a service according to the permitted service information stored in the permitted service information storage means;
A service providing system characterized by comprising:   When the link information registration unit registers the external device ID and the line ID in association with each other, the link information registration unit further includes a registration availability inquiry unit that inquires whether or not registration is possible for a contractor terminal corresponding to the line ID. The service providing system according to claim 1. Revocation information acquisition means for acquiring revocation information indicating revocation of information for proving the external device ID;
The link information registration unit confirms the revocation information acquired by the revocation information acquisition unit, deletes the external device ID and the line ID associated with the revocation information from the registration record,
Each time the service providing means receives a service request from the service requesting terminal, the external device ID included in the service request is associated with the revocation information acquired by the revocation information acquiring means. If it is confirmed that the information is linked to the revocation information, the service request terminal that is the transmission source of the service request is not authenticated successfully. The service providing system according to claim 1 or 2, wherein notification is provided. A user who determines user information for identifying a service that can be used for each user in order to associate the external device ID acquired by the external device ID acquisition unit and the line ID acquired by the line ID acquisition unit. Further comprising information determining means,
The link information registration unit registers the user information determined by the user information determination unit in association with the external device ID and the line ID,
The permitted service information storage means stores the contracted line ID or the user information in association with the permitted service information,
The service providing means, when the user information is stored in association with the authorized service information by the authorized service information storage means, from among the user information registered by the link information registration means User information corresponding to the external device ID included in the request is acquired, and user information that matches the acquired user information is present in the user information stored in the permitted service information storage unit 2. The service providing system according to claim 1, wherein a service corresponding to the permitted service information stored in the permitted service information storage unit in association with the matching user information is provided. A setting information storage unit that stores setting information set in a device under each line in association with a line ID for specifying a line to be managed;
A line ID search means for searching for a line ID corresponding to the setting information indicating the transmission source of the link request from the line IDs stored in the setting information storage means;
Link request transfer means for assigning the line ID searched by the line ID search means to the link request and transferring the link request while protecting the integrity of the link request;
Further comprising
The line ID acquisition unit analyzes the link request transferred by the link request transfer unit, and acquires the line ID from the link request when the integrity of the link request is protected. The service providing system according to claim 1.   In the case where the line ID acquired from the line ID registered by the link information registering unit exists in the contracted line ID stored in the contracted line ID storage unit, the service providing unit Further determines whether or not the line ID is in an available state, and if it is determined that the line ID is in an available state, provides a service corresponding to the service request from the service request terminal The service providing system according to claim 1 or 5. A service providing method for receiving a link request from a link request terminal into which an external device has been inserted, executing a process according to the link request, and providing a service according to a service request from a service request terminal,
When the authentication of the external device ID included in the link request is successful, an external device ID acquisition step of acquiring the external device ID that has been successfully authenticated;
A line ID acquisition step of identifying a line corresponding to the link request transmission source and acquiring a line ID for identifying the line;
A link information registration step of registering the external device ID acquired in the external device ID acquisition step in association with the line ID acquired in the line ID acquisition step in the storage unit;
Permitted service information in which the contracted line ID permitted to provide the service according to the service request and the permitted service information for identifying the service permitted to be provided to the contracted line are stored in the storage unit in association with each other. A memory step;
When the authentication of the external device ID included in the service request is successful, the line corresponding to the external device ID included in the service request is selected from the line IDs registered in the storage unit by the link information registration step. An agreement is acquired on condition that an ID is acquired and a contract line ID that matches the acquired line ID exists in the contract line ID stored in the storage unit by the permitted service information storage step. A service providing step of providing a service corresponding to the permitted service information stored in the storage unit by the permitted service information storing step in association with the line ID;
A service providing method characterized by including:   A registration permission / inquiry inquiry step for inquiring whether or not registration is possible for a contractor terminal corresponding to the line ID when the external device ID and the line ID are registered in the storage unit in association with each other in the link information registration step; The service providing method according to claim 7, further comprising: A revocation information acquisition step of acquiring revocation information indicating revocation of information for proving the external device ID;
The link information registration step confirms the revocation information acquired by the revocation information acquisition step, and deletes the external device ID and the line ID associated with the revocation information from the registration record,
In the service providing step, each time a service request is received from the service request terminal, the external device ID included in the service request is associated with the revocation information acquired in the revocation information acquisition step. If it is confirmed that the information is linked to the revocation information, the service request terminal that is the transmission source of the service request is not authenticated successfully. The service providing method according to claim 7 or 8, wherein notification is performed. A setting information storage step for storing in a storage unit setting information set in a device under each line in association with a line ID for specifying a line to be managed;
A line ID search step of searching for a line ID corresponding to the setting information indicating the transmission source of the link request from the line IDs stored in the storage unit by the setting information storage step;
A link request transfer step of assigning a line ID searched by the line ID search means to the link request and transferring the link request while protecting the integrity of the link request;
Further including
The line ID acquisition step analyzes the link request transferred by the link request transfer step, and acquires the line ID from the link request when the integrity of the link request is protected. The service providing method according to claim 7.

Images